mleku/next.orly.dev
1
0
Fork 1
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ea4a54c5e7ae254b90156c6b423b8bfce8795cb4
next.orly.dev/app/server.go
mleku ea4a54c5e7 Add Cashu blind signature access tokens (NIP-XX draft) 
Implements privacy-preserving bearer tokens for relay access control using
Cashu-style blind signatures. Tokens prove whitelist membership without
linking issuance to usage.

Features:
- BDHKE crypto primitives (HashToCurve, Blind, Sign, Unblind, Verify)
- Keyset management with weekly rotation
- Token format with kind permissions and scope isolation
- Generic issuer/verifier with pluggable authorization
- HTTP endpoints: POST /cashu/mint, GET /cashu/keysets, GET /cashu/info
- ACL adapter bridging ORLY's access control to Cashu AuthzChecker
- Stateless revocation via ACL re-check on each token use
- Two-token rotation for seamless renewal (max 2 weeks after blacklist)

Configuration:
- ORLY_CASHU_ENABLED: Enable Cashu tokens
- ORLY_CASHU_TOKEN_TTL: Token validity (default: 1 week)
- ORLY_CASHU_SCOPES: Allowed scopes (relay, nip46, blossom, api)
- ORLY_CASHU_REAUTHORIZE: Re-check ACL on each verification

Files:
- pkg/cashu/bdhke/: Core blind signature cryptography
- pkg/cashu/keyset/: Keyset management and rotation
- pkg/cashu/token/: Token format with kind permissions
- pkg/cashu/issuer/: Token issuance with authorization
- pkg/cashu/verifier/: Token verification with middleware
- pkg/interfaces/cashu/: AuthzChecker, KeysetStore interfaces
- pkg/bunker/acl_adapter.go: ORLY ACL integration
- app/handle-cashu.go: HTTP endpoints
- docs/NIP-XX-CASHU-ACCESS-TOKENS.md: Full specification

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-28 11:30:11 +02:00

1502 lines
43 KiB
Go
Raw Blame History

package app
import (
"context"
"encoding/json"
"fmt"
"io"
"log"
"net/http"
"net/http/httputil"
"net/url"
"strconv"
"strings"
"sync"
"time"
"lol.mleku.dev/chk"
"next.orly.dev/app/config"
"next.orly.dev/pkg/acl"
"next.orly.dev/pkg/blossom"
"next.orly.dev/pkg/database"
"next.orly.dev/pkg/event/authorization"
"next.orly.dev/pkg/event/processing"
"next.orly.dev/pkg/event/routing"
"next.orly.dev/pkg/event/validation"
"git.mleku.dev/mleku/nostr/encoders/event"
"git.mleku.dev/mleku/nostr/encoders/filter"
"git.mleku.dev/mleku/nostr/encoders/hex"
"git.mleku.dev/mleku/nostr/encoders/tag"
"next.orly.dev/pkg/policy"
"git.mleku.dev/mleku/nostr/protocol/auth"
"git.mleku.dev/mleku/nostr/httpauth"
"next.orly.dev/pkg/protocol/graph"
"next.orly.dev/pkg/protocol/nip43"
"next.orly.dev/pkg/protocol/publish"
"next.orly.dev/pkg/bunker"
"next.orly.dev/pkg/cashu/issuer"
"next.orly.dev/pkg/cashu/verifier"
"next.orly.dev/pkg/ratelimit"
"next.orly.dev/pkg/spider"
dsync "next.orly.dev/pkg/sync"
"next.orly.dev/pkg/wireguard"
)
type Server struct {
mux *http.ServeMux
Config *config.C
Ctx context.Context
publishers *publish.S
Admins [][]byte
Owners [][]byte
DB database.Database // Changed from embedded *database.D to interface field
// optional reverse proxy for dev web server
devProxy *httputil.ReverseProxy
// Challenge storage for HTTP UI authentication
challengeMutex sync.RWMutex
challenges map[string][]byte
// Message processing pause mutex for policy/follow list updates
// Use RLock() for normal message processing, Lock() for updates
messagePauseMutex sync.RWMutex
paymentProcessor *PaymentProcessor
sprocketManager *SprocketManager
policyManager *policy.P
spiderManager *spider.Spider
directorySpider *spider.DirectorySpider
syncManager *dsync.Manager
relayGroupMgr *dsync.RelayGroupManager
clusterManager *dsync.ClusterManager
blossomServer *blossom.Server
InviteManager *nip43.InviteManager
graphExecutor *graph.Executor
rateLimiter *ratelimit.Limiter
cfg *config.C
db database.Database // Changed from *database.D to interface
// Domain services for event handling
eventValidator *validation.Service
eventAuthorizer *authorization.Service
eventRouter *routing.DefaultRouter
eventProcessor *processing.Service
// WireGuard VPN and NIP-46 Bunker
wireguardServer *wireguard.Server
bunkerServer *bunker.Server
subnetPool *wireguard.SubnetPool
// Cashu access token system (NIP-XX)
CashuIssuer *issuer.Issuer
CashuVerifier *verifier.Verifier
}
// isIPBlacklisted checks if an IP address is blacklisted using the managed ACL system
func (s *Server) isIPBlacklisted(remote string) bool {
// Extract IP from remote address (e.g., "192.168.1.1:12345" -> "192.168.1.1")
remoteIP := strings.Split(remote, ":")[0]
// Check static IP blacklist from config first
if len(s.Config.IPBlacklist) > 0 {
for _, blocked := range s.Config.IPBlacklist {
// Allow simple prefix matching for subnets (e.g., "192.168" matches 192.168.0.0/16)
if blocked != "" && strings.HasPrefix(remoteIP, blocked) {
return true
}
}
}
// Check if managed ACL is available and active
if s.Config.ACLMode == "managed" {
for _, aclInstance := range acl.Registry.ACL {
if aclInstance.Type() == "managed" {
if managed, ok := aclInstance.(*acl.Managed); ok {
return managed.IsIPBlocked(remoteIP)
}
}
}
}
return false
}
func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// Check if this is a blossom-related path (needs CORS headers)
path := r.URL.Path
isBlossomPath := path == "/upload" || path == "/media" ||
path == "/mirror" || path == "/report" ||
strings.HasPrefix(path, "/list/") ||
strings.HasPrefix(path, "/blossom/") ||
(len(path) == 65 && path[0] == '/') // /<sha256> blob downloads
// Set CORS headers for all blossom-related requests
if isBlossomPath {
w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, PUT, DELETE, OPTIONS")
w.Header().Set("Access-Control-Allow-Headers", "Authorization, authorization, Content-Type, content-type, X-SHA-256, x-sha-256, X-Content-Length, x-content-length, X-Content-Type, x-content-type, Accept, accept")
w.Header().Set("Access-Control-Expose-Headers", "X-Reason, Content-Length, Content-Type, Accept-Ranges")
w.Header().Set("Access-Control-Max-Age", "86400")
// Handle preflight OPTIONS requests for blossom paths
if r.Method == "OPTIONS" {
w.WriteHeader(http.StatusOK)
return
}
} else if r.Method == "OPTIONS" {
// Handle OPTIONS for non-blossom paths
if s.mux != nil {
s.mux.ServeHTTP(w, r)
return
}
w.WriteHeader(http.StatusOK)
return
}
// Log proxy information for debugging (only for WebSocket requests to avoid spam)
if r.Header.Get("Upgrade") == "websocket" {
LogProxyInfo(r, "HTTP request")
}
// If this is a websocket request, only intercept the relay root path.
// This allows other websocket paths (e.g., Vite HMR) to be handled by the dev proxy when enabled.
if r.Header.Get("Upgrade") == "websocket" {
if s.mux != nil && s.Config != nil && s.Config.WebDisableEmbedded && s.Config.WebDevProxyURL != "" && r.URL.Path != "/" {
// forward to mux (which will proxy to dev server)
s.mux.ServeHTTP(w, r)
return
}
s.HandleWebsocket(w, r)
return
}
if r.Header.Get("Accept") == "application/nostr+json" {
s.HandleRelayInfo(w, r)
return
}
if s.mux == nil {
http.Error(w, "Upgrade required", http.StatusUpgradeRequired)
return
}
s.mux.ServeHTTP(w, r)
}
func (s *Server) ServiceURL(req *http.Request) (url string) {
// Use configured RelayURL if available
if s.Config != nil && s.Config.RelayURL != "" {
relayURL := strings.TrimSuffix(s.Config.RelayURL, "/")
// Ensure it has a protocol
if !strings.HasPrefix(relayURL, "http://") && !strings.HasPrefix(relayURL, "https://") {
relayURL = "http://" + relayURL
}
return relayURL
}
proto := req.Header.Get("X-Forwarded-Proto")
if proto == "" {
if req.TLS != nil {
proto = "https"
} else {
proto = "http"
}
}
host := req.Header.Get("X-Forwarded-Host")
if host == "" {
host = req.Host
}
return proto + "://" + host
}
func (s *Server) WebSocketURL(req *http.Request) (url string) {
proto := req.Header.Get("X-Forwarded-Proto")
if proto == "" {
if req.TLS != nil {
proto = "wss"
} else {
proto = "ws"
}
} else {
// Convert HTTP scheme to WebSocket scheme
if proto == "https" {
proto = "wss"
} else if proto == "http" {
proto = "ws"
}
}
host := req.Header.Get("X-Forwarded-Host")
if host == "" {
host = req.Host
}
return proto + "://" + strings.TrimRight(host, "/") + "/"
}
func (s *Server) DashboardURL(req *http.Request) (url string) {
return s.ServiceURL(req) + "/"
}
// UserInterface sets up a basic Nostr NDK interface that allows users to log into the relay user interface
func (s *Server) UserInterface() {
if s.mux == nil {
s.mux = http.NewServeMux()
}
// If dev proxy is configured, initialize it
if s.Config != nil && s.Config.WebDisableEmbedded && s.Config.WebDevProxyURL != "" {
proxyURL := s.Config.WebDevProxyURL
// Add default scheme if missing to avoid: proxy error: unsupported protocol scheme ""
if !strings.Contains(proxyURL, "://") {
proxyURL = "http://" + proxyURL
}
if target, err := url.Parse(proxyURL); !chk.E(err) {
if target.Scheme == "" || target.Host == "" {
// invalid URL, disable proxy
log.Printf(
"invalid ORLY_WEB_DEV_PROXY_URL: %q — disabling dev proxy\n",
s.Config.WebDevProxyURL,
)
} else {
s.devProxy = httputil.NewSingleHostReverseProxy(target)
// Ensure Host header points to upstream for dev servers that care
origDirector := s.devProxy.Director
s.devProxy.Director = func(req *http.Request) {
origDirector(req)
req.Host = target.Host
}
// Suppress noisy "context canceled" errors from browser navigation
s.devProxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
if r.Context().Err() == context.Canceled {
// Browser canceled the request - this is normal, don't log it
return
}
log.Printf("proxy error: %v", err)
http.Error(w, "Bad Gateway", http.StatusBadGateway)
}
}
}
}
// Initialize challenge storage if not already done
if s.challenges == nil {
s.challengeMutex.Lock()
s.challenges = make(map[string][]byte)
s.challengeMutex.Unlock()
}
// Serve favicon.ico by serving orly-favicon.png
s.mux.HandleFunc("/favicon.ico", s.handleFavicon)
// Serve the main login interface (and static assets) or proxy in dev mode
s.mux.HandleFunc("/", s.handleLoginInterface)
// API endpoints for authentication
s.mux.HandleFunc("/api/auth/challenge", s.handleAuthChallenge)
s.mux.HandleFunc("/api/auth/login", s.handleAuthLogin)
s.mux.HandleFunc("/api/auth/status", s.handleAuthStatus)
s.mux.HandleFunc("/api/auth/logout", s.handleAuthLogout)
s.mux.HandleFunc("/api/permissions/", s.handlePermissions)
// Export endpoint
s.mux.HandleFunc("/api/export", s.handleExport)
// Events endpoints
s.mux.HandleFunc("/api/events/mine", s.handleEventsMine)
// Import endpoint (admin only)
s.mux.HandleFunc("/api/import", s.handleImport)
// Sprocket endpoints (owner only)
s.mux.HandleFunc("/api/sprocket/status", s.handleSprocketStatus)
s.mux.HandleFunc("/api/sprocket/update", s.handleSprocketUpdate)
s.mux.HandleFunc("/api/sprocket/restart", s.handleSprocketRestart)
s.mux.HandleFunc("/api/sprocket/versions", s.handleSprocketVersions)
s.mux.HandleFunc(
"/api/sprocket/delete-version", s.handleSprocketDeleteVersion,
)
s.mux.HandleFunc("/api/sprocket/config", s.handleSprocketConfig)
// NIP-86 management endpoint
s.mux.HandleFunc("/api/nip86", s.handleNIP86Management)
// ACL mode endpoint
s.mux.HandleFunc("/api/acl-mode", s.handleACLMode)
// Log viewer endpoints (owner only)
s.mux.HandleFunc("/api/logs", s.handleGetLogs)
s.mux.HandleFunc("/api/logs/clear", s.handleClearLogs)
s.mux.HandleFunc("/api/logs/level", s.handleLogLevel)
// Sync endpoints for distributed synchronization
if s.syncManager != nil {
s.mux.HandleFunc("/api/sync/current", s.handleSyncCurrent)
s.mux.HandleFunc("/api/sync/event-ids", s.handleSyncEventIDs)
log.Printf("Distributed sync API enabled at /api/sync")
}
// Blossom blob storage API endpoint
if s.blossomServer != nil {
// Primary routes under /blossom/
s.mux.HandleFunc("/blossom/", s.blossomHandler)
// Root-level routes for clients that expect blossom at root (like Jumble)
s.mux.HandleFunc("/upload", s.blossomRootHandler)
s.mux.HandleFunc("/list/", s.blossomRootHandler)
s.mux.HandleFunc("/media", s.blossomRootHandler)
s.mux.HandleFunc("/mirror", s.blossomRootHandler)
s.mux.HandleFunc("/report", s.blossomRootHandler)
log.Printf("Blossom blob storage API enabled at /blossom and root")
} else {
log.Printf("WARNING: Blossom server is nil, routes not registered")
}
// Cluster replication API endpoints
if s.clusterManager != nil {
s.mux.HandleFunc("/cluster/latest", s.clusterManager.HandleLatestSerial)
s.mux.HandleFunc("/cluster/events", s.clusterManager.HandleEventsRange)
log.Printf("Cluster replication API enabled at /cluster")
}
// WireGuard VPN and Bunker API endpoints
// These are always registered but will return errors if not enabled
s.mux.HandleFunc("/api/wireguard/config", s.handleWireGuardConfig)
s.mux.HandleFunc("/api/wireguard/regenerate", s.handleWireGuardRegenerate)
s.mux.HandleFunc("/api/wireguard/status", s.handleWireGuardStatus)
s.mux.HandleFunc("/api/wireguard/audit", s.handleWireGuardAudit)
s.mux.HandleFunc("/api/bunker/url", s.handleBunkerURL)
// Cashu access token endpoints (NIP-XX)
s.mux.HandleFunc("/cashu/mint", s.handleCashuMint)
s.mux.HandleFunc("/cashu/keysets", s.handleCashuKeysets)
s.mux.HandleFunc("/cashu/info", s.handleCashuInfo)
if s.CashuIssuer != nil {
log.Printf("Cashu access token API enabled at /cashu")
}
}
// handleFavicon serves orly-favicon.png as favicon.ico
func (s *Server) handleFavicon(w http.ResponseWriter, r *http.Request) {
// In dev mode with proxy configured, forward to dev server
if s.devProxy != nil {
s.devProxy.ServeHTTP(w, r)
return
}
// If web UI is disabled without a proxy, return 404
if s.Config != nil && s.Config.WebDisableEmbedded {
http.NotFound(w, r)
return
}
// Serve orly-favicon.png as favicon.ico from embedded web app
w.Header().Set("Content-Type", "image/png")
w.Header().Set("Cache-Control", "public, max-age=86400") // Cache for 1 day
// Create a request for orly-favicon.png and serve it
faviconReq := &http.Request{
Method: "GET",
URL: &url.URL{Path: "/orly-favicon.png"},
}
ServeEmbeddedWeb(w, faviconReq)
}
// handleLoginInterface serves the main user interface for login
func (s *Server) handleLoginInterface(w http.ResponseWriter, r *http.Request) {
// In dev mode with proxy configured, forward to dev server
if s.devProxy != nil {
s.devProxy.ServeHTTP(w, r)
return
}
// If web UI is disabled without a proxy, return 404
if s.Config != nil && s.Config.WebDisableEmbedded {
http.NotFound(w, r)
return
}
// Serve embedded web interface
ServeEmbeddedWeb(w, r)
}
// handleAuthChallenge generates a new authentication challenge
func (s *Server) handleAuthChallenge(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodGet {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
w.Header().Set("Content-Type", "application/json")
// Generate a new challenge
challenge := auth.GenerateChallenge()
challengeHex := hex.Enc(challenge)
// Store the challenge with expiration (5 minutes)
s.challengeMutex.Lock()
if s.challenges == nil {
s.challenges = make(map[string][]byte)
}
s.challenges[challengeHex] = challenge
s.challengeMutex.Unlock()
// Clean up expired challenges
go func() {
time.Sleep(5 * time.Minute)
s.challengeMutex.Lock()
delete(s.challenges, challengeHex)
s.challengeMutex.Unlock()
}()
// Return the challenge
response := struct {
Challenge string `json:"challenge"`
}{
Challenge: challengeHex,
}
jsonData, err := json.Marshal(response)
if chk.E(err) {
http.Error(
w, "Error generating challenge", http.StatusInternalServerError,
)
return
}
w.Write(jsonData)
}
// handleAuthLogin processes authentication requests
func (s *Server) handleAuthLogin(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
w.Header().Set("Content-Type", "application/json")
// Read the request body
body, err := io.ReadAll(r.Body)
if chk.E(err) {
w.Write([]byte(`{"success": false, "error": "Failed to read request body"}`))
return
}
// Parse the signed event
var evt event.E
if err = json.Unmarshal(body, &evt); chk.E(err) {
w.Write([]byte(`{"success": false, "error": "Invalid event format"}`))
return
}
// Extract the challenge from the event to look up the stored challenge
challengeTag := evt.Tags.GetFirst([]byte("challenge"))
if challengeTag == nil {
w.Write([]byte(`{"success": false, "error": "Challenge tag missing from event"}`))
return
}
challengeHex := string(challengeTag.Value())
// Retrieve the stored challenge
s.challengeMutex.RLock()
_, exists := s.challenges[challengeHex]
s.challengeMutex.RUnlock()
if !exists {
w.Write([]byte(`{"success": false, "error": "Invalid or expired challenge"}`))
return
}
// Clean up the used challenge
s.challengeMutex.Lock()
delete(s.challenges, challengeHex)
s.challengeMutex.Unlock()
relayURL := s.WebSocketURL(r)
// Validate the authentication event with the correct challenge
// The challenge in the event tag is hex-encoded, so we need to pass the hex string as bytes
ok, err := auth.Validate(&evt, []byte(challengeHex), relayURL)
if chk.E(err) || !ok {
errorMsg := "Authentication validation failed"
if err != nil {
errorMsg = err.Error()
}
w.Write([]byte(`{"success": false, "error": "` + errorMsg + `"}`))
return
}
// Authentication successful: set a simple session cookie with the pubkey
cookie := &http.Cookie{
Name: "orly_auth",
Value: hex.Enc(evt.Pubkey),
Path: "/",
HttpOnly: true,
SameSite: http.SameSiteLaxMode,
MaxAge: 60 * 60 * 24 * 30, // 30 days
}
http.SetCookie(w, cookie)
w.Write([]byte(`{"success": true}`))
}
// handleAuthStatus checks if the user is authenticated
func (s *Server) handleAuthStatus(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodGet {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
w.Header().Set("Content-Type", "application/json")
// Check for auth cookie
c, err := r.Cookie("orly_auth")
if err != nil || c.Value == "" {
w.Write([]byte(`{"authenticated": false}`))
return
}
// Validate the pubkey format
pubkey, err := hex.Dec(c.Value)
if chk.E(err) {
w.Write([]byte(`{"authenticated": false}`))
return
}
// Get user permissions
permission := acl.Registry.GetAccessLevel(pubkey, r.RemoteAddr)
response := struct {
Authenticated bool `json:"authenticated"`
Pubkey string `json:"pubkey"`
Permission string `json:"permission"`
}{
Authenticated: true,
Pubkey: c.Value,
Permission: permission,
}
jsonData, err := json.Marshal(response)
if chk.E(err) {
w.Write([]byte(`{"authenticated": false}`))
return
}
w.Write(jsonData)
}
// handleAuthLogout clears the authentication cookie
func (s *Server) handleAuthLogout(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
w.Header().Set("Content-Type", "application/json")
// Clear the auth cookie
cookie := &http.Cookie{
Name: "orly_auth",
Value: "",
Path: "/",
HttpOnly: true,
SameSite: http.SameSiteLaxMode,
MaxAge: -1, // Expire immediately
}
http.SetCookie(w, cookie)
w.Write([]byte(`{"success": true}`))
}
// handlePermissions returns the permission level for a given pubkey
func (s *Server) handlePermissions(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodGet {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Extract pubkey from URL path
pubkeyHex := strings.TrimPrefix(r.URL.Path, "/api/permissions/")
if pubkeyHex == "" || pubkeyHex == "/" {
http.Error(w, "Invalid pubkey", http.StatusBadRequest)
return
}
// Convert hex to binary pubkey
pubkey, err := hex.Dec(pubkeyHex)
if chk.E(err) {
http.Error(w, "Invalid pubkey format", http.StatusBadRequest)
return
}
// Get access level using acl registry
permission := acl.Registry.GetAccessLevel(pubkey, r.RemoteAddr)
// Set content type and write JSON response
w.Header().Set("Content-Type", "application/json")
// Format response as proper JSON
response := struct {
Permission string `json:"permission"`
}{
Permission: permission,
}
// Marshal and write the response
jsonData, err := json.Marshal(response)
if chk.E(err) {
http.Error(
w, "Error generating response", http.StatusInternalServerError,
)
return
}
w.Write(jsonData)
}
// handleExport streams events as JSONL (NDJSON) using NIP-98 authentication.
// Supports both GET (query params) and POST (JSON body) for pubkey filtering.
func (s *Server) handleExport(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodGet && r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Skip authentication and permission checks when ACL is "none" (open relay mode)
if acl.Registry.Active.Load() != "none" {
// Validate NIP-98 authentication
valid, pubkey, err := httpauth.CheckAuth(r)
if chk.E(err) || !valid {
errorMsg := "NIP-98 authentication validation failed"
if err != nil {
errorMsg = err.Error()
}
http.Error(w, errorMsg, http.StatusUnauthorized)
return
}
// Check permissions - require write, admin, or owner level
accessLevel := acl.Registry.GetAccessLevel(pubkey, r.RemoteAddr)
if accessLevel != "write" && accessLevel != "admin" && accessLevel != "owner" {
http.Error(
w, "Write, admin, or owner permission required",
http.StatusForbidden,
)
return
}
}
// Parse pubkeys from request
var pks [][]byte
if r.Method == http.MethodPost {
// Parse JSON body for pubkeys
var requestBody struct {
Pubkeys []string `json:"pubkeys"`
}
if err := json.NewDecoder(r.Body).Decode(&requestBody); err == nil {
// If JSON parsing succeeds, use pubkeys from body
for _, pkHex := range requestBody.Pubkeys {
if pkHex == "" {
continue
}
if pk, err := hex.Dec(pkHex); !chk.E(err) {
pks = append(pks, pk)
}
}
}
// If JSON parsing fails, fall back to empty pubkeys (export all)
} else {
// GET method - parse query parameters
q := r.URL.Query()
for _, pkHex := range q["pubkey"] {
if pkHex == "" {
continue
}
if pk, err := hex.Dec(pkHex); !chk.E(err) {
pks = append(pks, pk)
}
}
}
// Determine filename based on whether filtering by pubkeys
var filename string
if len(pks) == 0 {
filename = "all-events-" + time.Now().UTC().Format("20060102-150405Z") + ".jsonl"
} else if len(pks) == 1 {
filename = "my-events-" + time.Now().UTC().Format("20060102-150405Z") + ".jsonl"
} else {
filename = "filtered-events-" + time.Now().UTC().Format("20060102-150405Z") + ".jsonl"
}
w.Header().Set("Content-Type", "application/x-ndjson")
w.Header().Set(
"Content-Disposition", "attachment; filename=\""+filename+"\"",
)
// Stream export
s.DB.Export(s.Ctx, w, pks...)
}
// handleEventsMine returns the authenticated user's events in JSON format with pagination using NIP-98 authentication.
func (s *Server) handleEventsMine(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodGet {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Validate NIP-98 authentication
valid, pubkey, err := httpauth.CheckAuth(r)
if chk.E(err) || !valid {
errorMsg := "NIP-98 authentication validation failed"
if err != nil {
errorMsg = err.Error()
}
http.Error(w, errorMsg, http.StatusUnauthorized)
return
}
// Parse pagination parameters
query := r.URL.Query()
limit := 50 // default limit
if l := query.Get("limit"); l != "" {
if parsed, err := strconv.Atoi(l); err == nil && parsed > 0 && parsed <= 100 {
limit = parsed
}
}
offset := 0
if o := query.Get("offset"); o != "" {
if parsed, err := strconv.Atoi(o); err == nil && parsed >= 0 {
offset = parsed
}
}
// Use QueryEvents with filter for this user's events
f := &filter.F{
Authors: tag.NewFromBytesSlice(pubkey),
}
log.Printf("DEBUG: Querying events for pubkey: %s", hex.Enc(pubkey))
events, err := s.DB.QueryEvents(s.Ctx, f)
if chk.E(err) {
log.Printf("DEBUG: QueryEvents failed: %v", err)
http.Error(w, "Failed to query events", http.StatusInternalServerError)
return
}
log.Printf("DEBUG: QueryEvents returned %d events", len(events))
// Apply pagination
totalEvents := len(events)
if offset >= totalEvents {
events = event.S{} // Empty slice
} else {
end := offset + limit
if end > totalEvents {
end = totalEvents
}
events = events[offset:end]
}
// Set content type and write JSON response
w.Header().Set("Content-Type", "application/json")
// Format response as proper JSON
response := struct {
Events []*event.E `json:"events"`
Total int `json:"total"`
Limit int `json:"limit"`
Offset int `json:"offset"`
}{
Events: events,
Total: totalEvents,
Limit: limit,
Offset: offset,
}
// Marshal and write the response
jsonData, err := json.Marshal(response)
if chk.E(err) {
http.Error(
w, "Error generating response", http.StatusInternalServerError,
)
return
}
w.Write(jsonData)
}
// handleImport receives a JSONL/NDJSON file or body and enqueues an async import using NIP-98 authentication. Admins only.
func (s *Server) handleImport(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Skip authentication and permission checks when ACL is "none" (open relay mode)
if acl.Registry.Active.Load() != "none" {
// Validate NIP-98 authentication
valid, pubkey, err := httpauth.CheckAuth(r)
if chk.E(err) || !valid {
errorMsg := "NIP-98 authentication validation failed"
if err != nil {
errorMsg = err.Error()
}
http.Error(w, errorMsg, http.StatusUnauthorized)
return
}
// Check permissions - require admin or owner level
accessLevel := acl.Registry.GetAccessLevel(pubkey, r.RemoteAddr)
if accessLevel != "admin" && accessLevel != "owner" {
http.Error(
w, "Admin or owner permission required", http.StatusForbidden,
)
return
}
}
ct := r.Header.Get("Content-Type")
if strings.HasPrefix(ct, "multipart/form-data") {
if err := r.ParseMultipartForm(32 << 20); chk.E(err) { // 32MB memory, rest to temp files
http.Error(w, "Failed to parse form", http.StatusBadRequest)
return
}
file, _, err := r.FormFile("file")
if chk.E(err) {
http.Error(w, "Missing file", http.StatusBadRequest)
return
}
defer file.Close()
s.DB.Import(file)
} else {
if r.Body == nil {
http.Error(w, "Empty request body", http.StatusBadRequest)
return
}
s.DB.Import(r.Body)
}
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusAccepted)
w.Write([]byte(`{"success": true, "message": "Import started"}`))
}
// handleSprocketStatus returns the current status of the sprocket script
func (s *Server) handleSprocketStatus(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodGet {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Validate NIP-98 authentication
valid, pubkey, err := httpauth.CheckAuth(r)
if chk.E(err) || !valid {
errorMsg := "NIP-98 authentication validation failed"
if err != nil {
errorMsg = err.Error()
}
http.Error(w, errorMsg, http.StatusUnauthorized)
return
}
// Check permissions - require owner level
accessLevel := acl.Registry.GetAccessLevel(pubkey, r.RemoteAddr)
if accessLevel != "owner" {
http.Error(w, "Owner permission required", http.StatusForbidden)
return
}
status := s.sprocketManager.GetSprocketStatus()
w.Header().Set("Content-Type", "application/json")
jsonData, err := json.Marshal(status)
if chk.E(err) {
http.Error(
w, "Error generating response", http.StatusInternalServerError,
)
return
}
w.Write(jsonData)
}
// handleSprocketUpdate updates the sprocket script and restarts it
func (s *Server) handleSprocketUpdate(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Validate NIP-98 authentication
valid, pubkey, err := httpauth.CheckAuth(r)
if chk.E(err) || !valid {
errorMsg := "NIP-98 authentication validation failed"
if err != nil {
errorMsg = err.Error()
}
http.Error(w, errorMsg, http.StatusUnauthorized)
return
}
// Check permissions - require owner level
accessLevel := acl.Registry.GetAccessLevel(pubkey, r.RemoteAddr)
if accessLevel != "owner" {
http.Error(w, "Owner permission required", http.StatusForbidden)
return
}
// Read the request body
body, err := io.ReadAll(r.Body)
if chk.E(err) {
http.Error(w, "Failed to read request body", http.StatusBadRequest)
return
}
// Update the sprocket script
if err := s.sprocketManager.UpdateSprocket(string(body)); chk.E(err) {
http.Error(
w, fmt.Sprintf("Failed to update sprocket: %v", err),
http.StatusInternalServerError,
)
return
}
w.Header().Set("Content-Type", "application/json")
w.Write([]byte(`{"success": true, "message": "Sprocket updated successfully"}`))
}
// handleSprocketRestart restarts the sprocket script
func (s *Server) handleSprocketRestart(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Validate NIP-98 authentication
valid, pubkey, err := httpauth.CheckAuth(r)
if chk.E(err) || !valid {
errorMsg := "NIP-98 authentication validation failed"
if err != nil {
errorMsg = err.Error()
}
http.Error(w, errorMsg, http.StatusUnauthorized)
return
}
// Check permissions - require owner level
accessLevel := acl.Registry.GetAccessLevel(pubkey, r.RemoteAddr)
if accessLevel != "owner" {
http.Error(w, "Owner permission required", http.StatusForbidden)
return
}
// Restart the sprocket script
if err := s.sprocketManager.RestartSprocket(); chk.E(err) {
http.Error(
w, fmt.Sprintf("Failed to restart sprocket: %v", err),
http.StatusInternalServerError,
)
return
}
w.Header().Set("Content-Type", "application/json")
w.Write([]byte(`{"success": true, "message": "Sprocket restarted successfully"}`))
}
// handleSprocketVersions returns all sprocket script versions
func (s *Server) handleSprocketVersions(
w http.ResponseWriter, r *http.Request,
) {
if r.Method != http.MethodGet {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Validate NIP-98 authentication
valid, pubkey, err := httpauth.CheckAuth(r)
if chk.E(err) || !valid {
errorMsg := "NIP-98 authentication validation failed"
if err != nil {
errorMsg = err.Error()
}
http.Error(w, errorMsg, http.StatusUnauthorized)
return
}
// Check permissions - require owner level
accessLevel := acl.Registry.GetAccessLevel(pubkey, r.RemoteAddr)
if accessLevel != "owner" {
http.Error(w, "Owner permission required", http.StatusForbidden)
return
}
versions, err := s.sprocketManager.GetSprocketVersions()
if chk.E(err) {
http.Error(
w, fmt.Sprintf("Failed to get sprocket versions: %v", err),
http.StatusInternalServerError,
)
return
}
w.Header().Set("Content-Type", "application/json")
jsonData, err := json.Marshal(versions)
if chk.E(err) {
http.Error(
w, "Error generating response", http.StatusInternalServerError,
)
return
}
w.Write(jsonData)
}
// handleSprocketDeleteVersion deletes a specific sprocket version
func (s *Server) handleSprocketDeleteVersion(
w http.ResponseWriter, r *http.Request,
) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Validate NIP-98 authentication
valid, pubkey, err := httpauth.CheckAuth(r)
if chk.E(err) || !valid {
errorMsg := "NIP-98 authentication validation failed"
if err != nil {
errorMsg = err.Error()
}
http.Error(w, errorMsg, http.StatusUnauthorized)
return
}
// Check permissions - require owner level
accessLevel := acl.Registry.GetAccessLevel(pubkey, r.RemoteAddr)
if accessLevel != "owner" {
http.Error(w, "Owner permission required", http.StatusForbidden)
return
}
// Read the request body
body, err := io.ReadAll(r.Body)
if chk.E(err) {
http.Error(w, "Failed to read request body", http.StatusBadRequest)
return
}
var request struct {
Filename string `json:"filename"`
}
if err := json.Unmarshal(body, &request); chk.E(err) {
http.Error(w, "Invalid JSON in request body", http.StatusBadRequest)
return
}
if request.Filename == "" {
http.Error(w, "Filename is required", http.StatusBadRequest)
return
}
// Delete the sprocket version
if err := s.sprocketManager.DeleteSprocketVersion(request.Filename); chk.E(err) {
http.Error(
w, fmt.Sprintf("Failed to delete sprocket version: %v", err),
http.StatusInternalServerError,
)
return
}
w.Header().Set("Content-Type", "application/json")
w.Write([]byte(`{"success": true, "message": "Sprocket version deleted successfully"}`))
}
// handleSprocketConfig returns the sprocket configuration status
func (s *Server) handleSprocketConfig(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodGet {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
w.Header().Set("Content-Type", "application/json")
response := struct {
Enabled bool `json:"enabled"`
}{
Enabled: s.Config.SprocketEnabled,
}
jsonData, err := json.Marshal(response)
if chk.E(err) {
http.Error(
w, "Error generating response", http.StatusInternalServerError,
)
return
}
w.Write(jsonData)
}
// handleACLMode returns the current ACL mode
func (s *Server) handleACLMode(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodGet {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
w.Header().Set("Content-Type", "application/json")
response := struct {
ACLMode string `json:"acl_mode"`
}{
ACLMode: acl.Registry.Type(),
}
jsonData, err := json.Marshal(response)
if chk.E(err) {
http.Error(
w, "Error generating response", http.StatusInternalServerError,
)
return
}
w.Write(jsonData)
}
// handleSyncCurrent handles requests for the current serial number
func (s *Server) handleSyncCurrent(w http.ResponseWriter, r *http.Request) {
if s.syncManager == nil {
http.Error(
w, "Sync manager not initialized", http.StatusServiceUnavailable,
)
return
}
// Validate NIP-98 authentication and check peer authorization
if !s.validatePeerRequest(w, r) {
return
}
s.syncManager.HandleCurrentRequest(w, r)
}
// handleSyncEventIDs handles requests for event IDs with their serial numbers
func (s *Server) handleSyncEventIDs(w http.ResponseWriter, r *http.Request) {
if s.syncManager == nil {
http.Error(
w, "Sync manager not initialized", http.StatusServiceUnavailable,
)
return
}
// Validate NIP-98 authentication and check peer authorization
if !s.validatePeerRequest(w, r) {
return
}
s.syncManager.HandleEventIDsRequest(w, r)
}
// validatePeerRequest validates NIP-98 authentication and checks if the requesting peer is authorized
func (s *Server) validatePeerRequest(
w http.ResponseWriter, r *http.Request,
) bool {
// Validate NIP-98 authentication
valid, pubkey, err := httpauth.CheckAuth(r)
if err != nil {
log.Printf("NIP-98 auth validation error: %v", err)
http.Error(
w, "Authentication validation failed", http.StatusUnauthorized,
)
return false
}
if !valid {
http.Error(w, "NIP-98 authentication required", http.StatusUnauthorized)
return false
}
if s.syncManager == nil {
log.Printf("Sync manager not available for peer validation")
http.Error(w, "Service unavailable", http.StatusServiceUnavailable)
return false
}
// Extract the relay URL from the request (this should be in the request body)
// For now, we'll check against all configured peers
peerPubkeyHex := hex.Enc(pubkey)
// Check if this pubkey matches any of our configured peer relays' NIP-11 pubkeys
for _, peerURL := range s.syncManager.GetPeers() {
if s.syncManager.IsAuthorizedPeer(peerURL, peerPubkeyHex) {
// Also update ACL to grant admin access to this peer pubkey
s.updatePeerAdminACL(pubkey)
return true
}
}
log.Printf("Unauthorized sync request from pubkey: %s", peerPubkeyHex)
http.Error(w, "Unauthorized peer", http.StatusForbidden)
return false
}
// updatePeerAdminACL grants admin access to peer relay identity pubkeys
func (s *Server) updatePeerAdminACL(peerPubkey []byte) {
// Find the managed ACL instance and update peer admins
for _, aclInstance := range acl.Registry.ACL {
if aclInstance.Type() == "managed" {
if managed, ok := aclInstance.(*acl.Managed); ok {
// Collect all current peer pubkeys
var peerPubkeys [][]byte
for _, peerURL := range s.syncManager.GetPeers() {
if pubkey, err := s.syncManager.GetPeerPubkey(peerURL); err == nil {
peerPubkeys = append(peerPubkeys, []byte(pubkey))
}
}
managed.UpdatePeerAdmins(peerPubkeys)
break
}
}
}
}
// =============================================================================
// Event Service Initialization
// =============================================================================
// InitEventServices initializes the domain services for event handling.
// This should be called after the Server is created but before accepting connections.
func (s *Server) InitEventServices() {
// Initialize validation service
s.eventValidator = validation.NewWithConfig(&validation.Config{
MaxFutureSeconds: 3600, // 1 hour
})
// Initialize authorization service
authCfg := &authorization.Config{
AuthRequired: s.Config.AuthRequired,
AuthToWrite: s.Config.AuthToWrite,
Admins: s.Admins,
Owners: s.Owners,
}
s.eventAuthorizer = authorization.New(
authCfg,
s.wrapAuthACLRegistry(),
s.wrapAuthPolicyManager(),
s.wrapAuthSyncManager(),
)
// Initialize router with handlers for special event kinds
s.eventRouter = routing.New()
// Register ephemeral event handler (kinds 20000-29999)
s.eventRouter.RegisterKindCheck(
"ephemeral",
routing.IsEphemeral,
routing.MakeEphemeralHandler(s.publishers),
)
// Initialize processing service
procCfg := &processing.Config{
Admins: s.Admins,
Owners: s.Owners,
WriteTimeout: 30 * time.Second,
}
s.eventProcessor = processing.New(procCfg, s.wrapDB(), s.publishers)
// Wire up optional dependencies to processing service
if s.rateLimiter != nil {
s.eventProcessor.SetRateLimiter(s.wrapRateLimiter())
}
if s.syncManager != nil {
s.eventProcessor.SetSyncManager(s.wrapSyncManager())
}
if s.relayGroupMgr != nil {
s.eventProcessor.SetRelayGroupManager(s.wrapRelayGroupManager())
}
if s.clusterManager != nil {
s.eventProcessor.SetClusterManager(s.wrapClusterManager())
}
s.eventProcessor.SetACLRegistry(s.wrapACLRegistry())
}
// Database wrapper for processing.Database interface
type processingDBWrapper struct {
db database.Database
}
func (s *Server) wrapDB() processing.Database {
return &processingDBWrapper{db: s.DB}
}
func (w *processingDBWrapper) SaveEvent(ctx context.Context, ev *event.E) (exists bool, err error) {
return w.db.SaveEvent(ctx, ev)
}
func (w *processingDBWrapper) CheckForDeleted(ev *event.E, adminOwners [][]byte) error {
return w.db.CheckForDeleted(ev, adminOwners)
}
// RateLimiter wrapper for processing.RateLimiter interface
type processingRateLimiterWrapper struct {
rl *ratelimit.Limiter
}
func (s *Server) wrapRateLimiter() processing.RateLimiter {
return &processingRateLimiterWrapper{rl: s.rateLimiter}
}
func (w *processingRateLimiterWrapper) IsEnabled() bool {
return w.rl.IsEnabled()
}
func (w *processingRateLimiterWrapper) Wait(ctx context.Context, opType int) error {
w.rl.Wait(ctx, opType)
return nil
}
// SyncManager wrapper for processing.SyncManager interface
type processingSyncManagerWrapper struct {
sm *dsync.Manager
}
func (s *Server) wrapSyncManager() processing.SyncManager {
return &processingSyncManagerWrapper{sm: s.syncManager}
}
func (w *processingSyncManagerWrapper) UpdateSerial() {
w.sm.UpdateSerial()
}
// RelayGroupManager wrapper for processing.RelayGroupManager interface
type processingRelayGroupManagerWrapper struct {
rgm *dsync.RelayGroupManager
}
func (s *Server) wrapRelayGroupManager() processing.RelayGroupManager {
return &processingRelayGroupManagerWrapper{rgm: s.relayGroupMgr}
}
func (w *processingRelayGroupManagerWrapper) ValidateRelayGroupEvent(ev *event.E) error {
return w.rgm.ValidateRelayGroupEvent(ev)
}
func (w *processingRelayGroupManagerWrapper) HandleRelayGroupEvent(ev *event.E, syncMgr any) {
if sm, ok := syncMgr.(*dsync.Manager); ok {
w.rgm.HandleRelayGroupEvent(ev, sm)
}
}
// ClusterManager wrapper for processing.ClusterManager interface
type processingClusterManagerWrapper struct {
cm *dsync.ClusterManager
}
func (s *Server) wrapClusterManager() processing.ClusterManager {
return &processingClusterManagerWrapper{cm: s.clusterManager}
}
func (w *processingClusterManagerWrapper) HandleMembershipEvent(ev *event.E) error {
return w.cm.HandleMembershipEvent(ev)
}
// ACLRegistry wrapper for processing.ACLRegistry interface
type processingACLRegistryWrapper struct{}
func (s *Server) wrapACLRegistry() processing.ACLRegistry {
return &processingACLRegistryWrapper{}
}
func (w *processingACLRegistryWrapper) Configure(cfg ...any) error {
return acl.Registry.Configure(cfg...)
}
func (w *processingACLRegistryWrapper) Active() string {
return acl.Registry.Active.Load()
}
// =============================================================================
// Authorization Service Wrappers
// =============================================================================
// ACLRegistry wrapper for authorization.ACLRegistry interface
type authACLRegistryWrapper struct{}
func (s *Server) wrapAuthACLRegistry() authorization.ACLRegistry {
return &authACLRegistryWrapper{}
}
func (w *authACLRegistryWrapper) GetAccessLevel(pub []byte, address string) string {
return acl.Registry.GetAccessLevel(pub, address)
}
func (w *authACLRegistryWrapper) CheckPolicy(ev *event.E) (bool, error) {
return acl.Registry.CheckPolicy(ev)
}
func (w *authACLRegistryWrapper) Active() string {
return acl.Registry.Active.Load()
}
// PolicyManager wrapper for authorization.PolicyManager interface
type authPolicyManagerWrapper struct {
pm *policy.P
}
func (s *Server) wrapAuthPolicyManager() authorization.PolicyManager {
if s.policyManager == nil {
return nil
}
return &authPolicyManagerWrapper{pm: s.policyManager}
}
func (w *authPolicyManagerWrapper) IsEnabled() bool {
return w.pm.IsEnabled()
}
func (w *authPolicyManagerWrapper) CheckPolicy(action string, ev *event.E, pubkey []byte, remote string) (bool, error) {
return w.pm.CheckPolicy(action, ev, pubkey, remote)
}
// SyncManager wrapper for authorization.SyncManager interface
type authSyncManagerWrapper struct {
sm *dsync.Manager
}
func (s *Server) wrapAuthSyncManager() authorization.SyncManager {
if s.syncManager == nil {
return nil
}
return &authSyncManagerWrapper{sm: s.syncManager}
}
func (w *authSyncManagerWrapper) GetPeers() []string {
return w.sm.GetPeers()
}
func (w *authSyncManagerWrapper) IsAuthorizedPeer(url, pubkey string) bool {
return w.sm.IsAuthorizedPeer(url, pubkey)
}
// =============================================================================
// Message Processing Pause/Resume for Policy and Follow List Updates
// =============================================================================
// PauseMessageProcessing acquires an exclusive lock to pause all message processing.
// This should be called before updating policy configuration or follow lists.
// Call ResumeMessageProcessing to release the lock after updates are complete.
func (s *Server) PauseMessageProcessing() {
s.messagePauseMutex.Lock()
}
// ResumeMessageProcessing releases the exclusive lock to resume message processing.
// This should be called after policy configuration or follow list updates are complete.
func (s *Server) ResumeMessageProcessing() {
s.messagePauseMutex.Unlock()
}
// AcquireMessageProcessingLock acquires a read lock for normal message processing.
// This allows concurrent message processing while blocking during policy updates.
// Call ReleaseMessageProcessingLock when message processing is complete.
func (s *Server) AcquireMessageProcessingLock() {
s.messagePauseMutex.RLock()
}
// ReleaseMessageProcessingLock releases the read lock after message processing.
func (s *Server) ReleaseMessageProcessingLock() {
s.messagePauseMutex.RUnlock()
}
Reference in New Issue View Git Blame Copy Permalink